Home Arrow Icon Knowledge base Arrow Icon Global Arrow Icon Customizing WordPress security plugins with Nginx
    WordPress security Nginx configuration block PHP files disable script execution Content Security Policy XML-RPC requests restrict access uploads


Customizing WordPress security plugins with Nginx


Customizing WordPress security plugins with Nginx involves configuring the Nginx server to block malicious requests and restrict access to sensitive files and folders. Here are some code samples and explanations to help you achieve this:

1. Blocking Direct Access to PHP Files and Folders 

nginx
# Block direct access to PHP files and folders
location ~* \.php$ {
    deny all;
}

location ~* ^/(wp-content)/(.*?)\.(zip|gz|tar|bzip2|7z)$ {
    deny all;
}

location ~ ^/wp-content/uploads/sucuri {
    deny all;
}

location ~ ^/wp-content/updraft {
    deny all;
}

These blocks prevent direct access to PHP files and folders that should not be accessed from a browser. This includes files like `wp-config.php`, `readme.html`, and `license.txt`, which contain sensitive information. The `wp-content` folder is also restricted to prevent unauthorized access to uploaded files[2][4].

2. Disabling Execution of Scripts Other Than PHP 

nginx
# Disable execution of scripts other than PHP
location ~* .(pl|cgi|py|sh|lua|asp)$ {
    return 444;
}

This block prevents the execution of scripts other than PHP, which can help prevent potential security vulnerabilities[4].

3. Disabling Access to Configuration Files 

nginx
# Disable access to configuration files
location ~* /(wp-config.php|readme.html|license.txt|nginx.conf) {
    deny all;
}

This block restricts access to configuration files that contain sensitive information, such as `wp-config.php`, `readme.html`, `license.txt`, and `nginx.conf`[4].

4. Blocking XML-RPC Requests 

nginx
# Block XML-RPC requests
location /xmlrpc.php {
    deny all;
    access_log off;
    log_not_found off;
    return 444;
}

This block prevents XML-RPC requests, which can be used for malicious purposes like brute-force attacks[4].

5. Configuring Content Security Policy (CSP) 

nginx
# Configure Content Security Policy (CSP)
add_header Content-Security-Policy "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';";

This code sets the Content Security Policy (CSP) to restrict the sources of content that can be loaded by the browser. This helps prevent cross-site scripting (XSS) attacks and other security vulnerabilities[5].

6. Disabling Logging for Favicon and Robots.txt 

nginx
# Disable logging for favicon and robots.txt
location = /favicon.ico {
    try_files /favicon.ico @empty;
    access_log off;
    log_not_found off;
    expires max;
}

location = /robots.txt {
    allow all;
    log_not_found off;
    access_log off;
    try_files $uri /index.php?$args;
}

These blocks disable logging for favicon and robots.txt files, which can help reduce server load and improve performance[4].

7. Restricting Access to Uploads Folder 

nginx
# Restrict access to uploads folder
location /wp-content/uploads/ {
    location ~ \.php$ {
        deny all;
    }
}

This block restricts access to the uploads folder, which can help prevent unauthorized access to uploaded files[4].

These code samples demonstrate how you can customize WordPress security plugins with Nginx to improve the security of your WordPress site.

Citations:
[1] https://melapress.com/wordpress-security/
[2] https://gist.github.com/ethanpil/1bfd01a817a8198369efec5c4cde6628
[3] https://blog.wpsec.com/security-in-wordpress-plugin-development/
[4] https://forum.directadmin.com/threads/wordpress-hardening-nginx-config.67763/
[5] https://www.malcare.com/blog/content-security-policy-wordpress/